1 Answer
1

You can set up a directory so that files created in it belong to a particular group regardless of the effective group ID of the process which creates them. This is called BSD semantics and you should set the SGID bit for the directory to enable it:

chgrp domain /var/www/domain
chmod g+s /var/www/domain

This does not change the group of the files and directories already in /var/www/domain; you'll need to take care of that manually (for example using -R with chgrp above). Note that all subdirectories subsequently created in the directory will also inherit SGID, automatically enabling BSD semantics for the subdirectories as well.

The same semantics is not possible for the owner, though.

If you need to achieve this for both the owner and the group you probably need to ensure that the code which creates files under /var/www/domain runs with effective user domain and effective group domain. You can use sudo to do this:

sudo -u domain -g domain your_command

If domain is the primary group of user domain, the following will suffice:

sudo -u domain your_command

Since this solution easily takes care of both owner and group there is no need for BSD semantics.

If you don't want to change the effective user and group of the process which creates the files (for example because it is a large server performing a number of other unrelated functions), you may need to externalize the part of the functionality which creates the files into a separate process whose effective UID and GID can be changed accordingly or you can use BSD semantics and try to achieve your ultimate goal by relying solely on the group.

I have looked a little at this, but I do not fully understand it. I connect to the server using winscp with the account www-admin. Most of the time I work on different folders and files in the system. I cannot do sudo -u domain -g domain for each file in the folder. So if I understand it correctly there is no way of doing this. I don't understand what you mean with "you may need to externalize the part of the functionality which creates the files".
– Saif Bechan Dec 24 '11 at 5:14

Well, I didn't know what creates the files. If they were being created by a large monolithic server then you would have to make sure that a smaller process creates the files instead so that its permissions can easily be managed. This doesn't seem to apply in your case anyway.
– Adam Zalcman Dec 24 '11 at 10:22

You can probably take advantage of SGID and BSD semantics if winscp does not explicitly set group ownership. I tested scp from Mac to Linux and it doesn't, so chances are winscp shouldn't do that either. In this case your files will belong to www-admin:domain. Perhaps appropriate permission setting will let you use this to accomplish your ultimate goal?
– Adam Zalcman Dec 24 '11 at 10:26

Do you think there is a way I can sudo to another user in winscp? I have checked and the group problem is solved with your method, but actually the user was the most important part. The files cannot be owned by www-admin because of security reasons. To make it more complicated the user domain has no login permission.
– Saif Bechan Dec 26 '11 at 5:01
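The answer notes that setting SGID does not fix entries that already exist under the directory. The following is an added example, not part of the original answer or comments: a small audit that reports directories without the SGID bit and entries whose group differs from the expected one. The function names (`audit_tree`, `make_sample`, `gid_of`) and the temporary sample tree are hypothetical, and it assumes Linux semantics, where new subdirectories inherit SGID.

```shell
#!/bin/sh
# Added example: audit a tree that relies on SGID group inheritance.
# audit_tree ROOT GROUP prints one finding per line:
#   NOSGID <dir>   directory without the SGID bit; files created there
#                  get the creator's effective group, not GROUP
#   GROUP <path>   entry whose group is not GROUP (for example one that
#                  was created before chgrp / chmod g+s were applied)
audit_tree() {
    root=$1
    group=$2
    find "$root" -type d ! -perm -2000 -exec printf 'NOSGID %s\n' {} \;
    find "$root" ! -group "$group" -exec printf 'GROUP %s\n' {} \;
}

# Numeric group ID of a path, read from the fourth column of ls -ldn.
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Constructed sample tree under a temporary directory (hypothetical paths).
# Prints the path of the directory that stands in for /var/www/domain.
make_sample() {
    top=$(mktemp -d) || return 1
    mkdir "$top/domain" || return 1
    chmod g+s "$top/domain" || return 1
    # Created after g+s: inherits the SGID bit and the directory's group.
    mkdir "$top/domain/new"
    : > "$top/domain/new/index.html"
    # Simulates a directory that predates g+s: the bit is cleared by hand.
    mkdir "$top/domain/old"
    chmod g-s "$top/domain/old"
    echo "$top/domain"
}

# Stand-alone run: only the "old" directory should be reported.
site=$(make_sample)
audit_tree "$site" "$(gid_of "$site")"
rm -rf "${site%/domain}"
```

On a real tree, each `NOSGID` line is a directory that needs `chmod g+s`, and each `GROUP` line is an entry that the `chgrp -R` mentioned in the answer would correct.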